Hi,
I enabled TLS on the apiserver; the start command is:

```bash
# Line continuations restored so the command can be pasted as one invocation.
/usr/bin/kube-apiserver --logtostderr=true --v=0 \
  --etcd-servers=http://centos-master:2379 --insecure-bind-address=0.0.0.0 \
  --secure-port=6443 --insecure-port=8080 --kubelet-port=10250 \
  --allow-privileged=false --service-cluster-ip-range=10.254.0.0/16 \
  --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota \
  --runtime-config=authentication.k8s.io/v1beta1=true \
  --authentication-token-webhook-config-file=/etc/kubernetes/webhook.yaml \
  --tls-ca-file=/etc/kubernetes/ssl/rootCA.pem \
  --tls-cert-file=/etc/kubernetes/ssl/master.crt \
  --tls-private-key-file=/etc/kubernetes/ssl/master.key
```

Then I restarted kube-apiserver. The API over HTTPS works from the browser, but the
logs in /var/log/messages keep saying "x509: certificate is valid for
10.0.8.107, not localhost". But why does it visit localhost?

Thanks!

Here are the logs:
```
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.213252   15113 logs.go:41] http: TLS handshake error from [::1]:55687: read tcp [::1]:6443->[::1]:55687: read: connection reset by peer
Mar 23 21:55:05 k8s-master kube-scheduler: E0323 21:55:05.348590   15103 leaderelection.go:261] Failed to update lock: endpoints "kube-scheduler" is forbidden: not yet ready to handle request
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.348231   15113 trace.go:61] Trace "Update /api/v1/namespaces/kube-system/endpoints/kube-scheduler" (started 2017-03-23 21:54:55.347565757 +0800 CST):
Mar 23 21:55:05 k8s-master kube-apiserver: [12.022µs] [12.022µs] About to convert to expected version
Mar 23 21:55:05 k8s-master kube-apiserver: [31.437µs] [19.415µs] Conversion done
Mar 23 21:55:05 k8s-master kube-apiserver: [35.075µs] [3.638µs] About to store object in database
Mar 23 21:55:05 k8s-master kube-apiserver: [10.000623643s] [10.000588568s] END
Mar 23 21:55:05 k8s-master kube-apiserver: E0323 21:55:05.494713   15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.LimitRange: Get https://localhost:6443/api/v1/limitranges?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.494741   15113 logs.go:41] http: TLS handshake error from [::1]:55688: read tcp [::1]:6443->[::1]:55688: read: connection reset by peer
Mar 23 21:55:05 k8s-master kube-apiserver: E0323 21:55:05.494891   15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.Namespace: Get https://localhost:6443/api/v1/namespaces?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.494909   15113 logs.go:41] http: TLS handshake error from [::1]:55689: read tcp [::1]:6443->[::1]:55689: read: connection reset by peer
Mar 23 21:55:06 k8s-master kube-apiserver: E0323 21:55:06.222917   15113 reflector.go:199] k8s.io/kubernetes/plugin/pkg/admission/resourcequota/resource_access.go:83: Failed to list *api.ResourceQuota: Get https://localhost:6443/api/v1/resourcequotas?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:06 k8s-master kube-apiserver: I0323 21:55:06.222974   15113 logs.go:41] http: TLS handshake error from [::1]:55690: read tcp [::1]:6443->[::1]:55690: read: connection reset by peer
Mar 23 21:55:06 k8s-master kube-apiserver: E0323 21:55:06.511313   15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.LimitRange: Get https://localhost:6443/api/v1/limitranges?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:06 k8s-master kube-apiserver: I0323 21:55:06.511345   15113 logs.go:41] http: TLS handshake error from [::1]:55691: read tcp [::1]:6443->[::1]:55691: read: connection reset by peer
Mar 23 21:55:06 k8s-master kube-apiserver: E0323 21:55:06.511499   15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.Namespace: Get https://localhost:6443/api/v1/namespaces?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:06 k8s-master kube-apiserver: I0323 21:55:06.511517   15113 logs.go:41] http: TLS handshake error from [::1]:55692: read tcp [::1]:6443->[::1]:55692: read: connection reset by peer
Mar 23 21:55:07 k8s-master kube-apiserver: E0323 21:55:07.230919   15113 reflector.go:199] k8s.io/kubernetes/plugin/pkg/admission/resourcequota/resource_access.go:83: Failed to list *api.ResourceQuota: Get https://localhost:6443/api/v1/resourcequotas?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:07 k8s-master kube-apiserver: I0323 21:55:07.230951   15113 logs.go:41] http: TLS handshake error from [::1]:55694: read tcp [::1]:6443->[::1]:55694: read: connection reset by peer
Mar 23 21:55:07 k8s-master kube-apiserver: E0323 21:55:07.524799   15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.LimitRange: Get https://localhost:6443/api/v1/limitranges?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:07 k8s-master kube-apiserver: I0323 21:55:07.524828   15113 logs.go:41] http: TLS handshake error from [::1]:55695: read tcp [::1]:6443->[::1]:55695: read: connection reset by peer
Mar 23 21:55:07 k8s-master kube-apiserver: E0323 21:55:07.524977   15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.Namespace: Get https://localhost:6443/api/v1/namespaces?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:07 k8s-master kube-apiserver: I0323 21:55:07.524995   15113 logs.go:41] http: TLS handshake error from [::1]:55696: read tcp [::1]:6443->[::1]:55696: read: connection reset by peer
```
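
An added example, not part of the original post: the `x509:` errors in the logs above come from Go's `crypto/x509` hostname check, shown here against a throwaway certificate whose only SAN is the IP 10.0.8.107 and against one that also lists loopback names. The certificates, the `makeCert` helper and the choice of loopback SANs are constructed assumptions, not the poster's `master.crt`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeCert returns a throwaway self-signed certificate with the given SANs.
// Constructed for this example; it is not the certificate from the post.
func makeCert(dnsNames []string, ips ...net.IP) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	ipOnly := makeCert(nil, net.ParseIP("10.0.8.107"))
	withLoopback := makeCert([]string{"localhost"},
		net.ParseIP("10.0.8.107"), net.ParseIP("127.0.0.1"), net.ParseIP("::1"))
	// "localhost" is the name in the failing URLs; the loopback IPs are assumed extras.
	for _, h := range []string{"10.0.8.107", "localhost", "127.0.0.1", "::1"} {
		fmt.Printf("%-10s ip-only: %v | with loopback SANs: %v\n",
			h, ipOnly.VerifyHostname(h), withLoopback.VerifyHostname(h))
	}
}
```

The exact wording of the `localhost` failure depends on the Go version; the check that rejects the name is the same one.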
